×

We regularly warn of impending threats, says Sanjay Bahl, DG, CERT-In

Interview/ Sanjay Bahl, DG, CERT-In

A Covid positive person could infect three or four persons, but a malware-infected cyber system can infect several times more. And “the global loss can be trillions of dollars,” warns India’s topmost cyber-warrior, Sanjay Bahl, who is director-general of the Indian Computer Emergency Response Team (CERT-In). Seated in his simple office in the Union ministry of electronics and information technology, Bahl said that last year alone India “battled more than 11 lakh cyberattacks, till October 15, 2021”.

With power, telecom, defence, finance, and health sectors facing ransomware attacks, CERT-In now trains users on defensive techniques, based on a new framework created by MITRE of the US and funded by the National Security Agency (NSA). As he was global chief security officer of Tata Consultancy Services and national security officer of Microsoft, Bahl knows well the threats faced by the private sector, too.

Excerpts from an exclusive interview:

Q/ How many incidents of cyber breaches were reported this year?

A/ In 2020, around 11.5 lakh incidents were tracked and reported. Last year, more than 11 lakh incidents were tracked and reported (as of October 15, 2021).

There are various kinds of threats ranging from state actors, cybercriminals and hackers, followed by threats from someone working inside financial institutions or other elements who went rogue.
Covid had a strike rate of three to four, when an infected person came in contact with others. An infected system will have a higher strike rate, due to the interconnected society that we live in.

CERT-In handles incident response, mitigation, and containment, and carries out drills and simulations. Training chief information security officers and network system administrators has been a major focus area for us. We have also been consistently sensitising users on the need to follow best practices. Keeping in mind the fast-changing cybersecurity threat landscape, we are constantly improvising.

Q/ How is CERT-In building capability in cyberthreat intelligence?

A/ The CERT-In threat intelligence exchange platform is based on Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) standards, which explain the “what” and “how” of threat intelligence. This helps facilitate automated bidirectional sharing of operational, strategic, enriched tactical threat intelligence to various counterparts and stakeholders in near real-time, thus helping to build a cyber-resilient ecosystem in Indian cyberspace.

Q/ How vulnerable is the power sector?

A/ A cyberattack on the power sector has the potential to cause a cascading impact, affecting dependant sectors and systems such as financial, communications, transportation and health care, leaving the population immobile, isolated, and vulnerable.

For the first time, we invited over 400 members from more than 135 power sector organisations, distributors, representatives of the power ministry for a simulation exercise, specially designed for the sector.

The mock drills for board members included unfolding of different real-life scenarios—such as a ransomware attack followed by a temporary grid collapse, challenges with media reports, regulations and laws. This was to help them look at a cybersecurity impact holistically and respond according to a risk-based approach. The second drill was for chief information security officers and senior managers for building cyber resiliency in power sector utilities.

Q/ What kinds of threats is the financial sector facing?

A/ The financial sector is one of the most lucrative targets for malicious actors. Here the defenders need to act at the technical and operational level simultaneously for detection and prevention of attacks.

There are various kinds of threats ranging from state actors, cybercriminals and hackers, followed by threats from someone working inside financial institutions or other elements who went rogue.

Some of the threats observed are ransomware attacks, business email compromises, supply chain attacks, data breaches and leaks, advanced malware activities, botnets and crypto-mining malware, spear-phishing attacks, advanced persistent threats, and fake and malicious mobile apps.

CERT-In and other agencies have together launched a self-paced e-learning certification course, which focuses on identifying the gaps in cybersecurity and developing a robust cybersecurity framework. Other agencies involved in the course are CSIRT-FIN (Computer Security Incident Response Team-Finance Sector), the National Institute of Securities Markets (which is part of SEBI) and Information Security Education Awareness programme of the ministry of electronics and IT, being coordinated by the Centre for Development of Advanced Computing (C-DAC) [The ISEA programme is implemented by C-DAC to spread awareness in information security].

Q/ How has the health care system been impacted during the pandemic?

A/ India’s health care sector does not have inter-connected IT infrastructure like in Europe and the US. As of now, in government hospitals, it is mostly the Central Government Health Scheme facilities that are online. In private hospitals, the administration and Out Patient Department (OPD) rely heavily on online networks.

During the pandemic, CERT-In has observed unauthorised probing of public-facing assets, ransomware attacks, fake Covid-related apps, advanced persistent threats, malware and phishing emails. Few of the health care facilities, when impacted by ransomware, have either discarded their online database once the threat was detected and managed to reload from backups or started updating patients’ records manually. So there has not been much thought to security and privacy concerns in a wholesome manner. But it is an evolving threat and we are preparing to plug gaps.

Q/ What kind of cyberthreats are we looking at as we enter a digital world?

A/ Imagine a scenario where there is a cyber pandemic. Covid had a strike rate of three to four, when an infected person came in contact with others. An infected system will have a higher strike rate, due to the interconnected society that we live in.

The comparison gives us an idea about how entire systems can shut down one after the other and how fast it can spread. Detection, mitigation and the financial costs involved are unthinkable. The global loss can be in trillions of dollars.

Cybercrimes will increase in the future because the fraudsters will always be two steps ahead of us. The attack surface is increasing rapidly as we move into a digital world with digital currencies. The attackers are keeping abreast and joining forces. A hosting expert will join hands with another running malware. When you set out to defend yourself, there is a need for greater cohesion and teamwork.